How to create a DLP agent group based on AD group membership
Article ID: 264410

Updated On: 05-05-2023

Products

Data Loss Prevention Core Package

Issue/Introduction

This KB gives an example of how to set up a DLP agent group based on membership of a specific AD group.

Environment

Release : 15.x, 16.0

Resolution

Step 1: Create the Agent Attribute

Follow these steps to create the Agent attribute:

  • Browse to System > Agents > Agent Groups. Then click on "Manage Agent Attributes" in the top right corner of the Agent Groups screen.
  • Name the Agent attribute, for example "AD group membership".
  • Select the user domain.
  • Use the following syntax for the search filter:
    (&(objectCategory=Person)(objectClass=User)(sAMAccountName=$LoggedinUser$))

  • Use the following for Active Directory Attribute:
    memberof

Sample Screenshot:

Click Save

On the next screen click "Apply Changes"

Step 2: Create the Agent group based on the newly created Agent Attribute

  • Browse back to System > Agents > Agent Groups
  • Click New
  • Add a name for the group
  • Use the Select Agent Attribute drop down and select the Agent Attribute created in Step 1
  • In the value field, enter the name of the AD group you want the DLP agent group based on, with an asterisk before and after it. For example "*New hire*"
    Sample Screenshot:
  • Click Save
  • On the Agent Groups screen, assign an agent configuration to the newly created group

The group will now be applied to DLP agents whose logged-in user is a member of the specified AD group. This happens gradually, as each agent checks in with the detection server.

Explanation:

In Step 1 we created a DLP agent attribute whose search filter retrieves the entire memberof attribute from the AD user object. This typically lists every group the AD user belongs to. The value is the full LDAP response with multiple entries, for example: (CN=<group1 name>,OU=<OU Name>,OU=Groups,DC=<Domain>,DC=net CN=<group2 name>,OU=<OU Name>,OU=Groups,DC=<Domain>,DC=net). The actual value returned can be viewed with the query resolver tool.

In Step 2 the entire string is evaluated, using wildcards to search for the group name we want to check for, such as the "new hire" group. The asterisks before and after the name act as wildcards, so the value is matched anywhere within the string. If that value is found in the LDAP response for the user logged into the DLP agent machine, the agent is added to that group.
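The two steps above, simulated end to end as an added example (this is not Broadcom's code or the product's own logic): the filter from Step 1 is evaluated against a small constructed in-memory directory, the memberof entries are joined into one string the way the query resolver shows them, and the wildcard value from Step 2 is applied to that string, including the multiple-match conflict behaviour described in the Important Notes below. Assumptions: the directory contents and group names are constructed, the filter evaluator only handles an AND of equality terms, and wildcard matching is treated as case-insensitive.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample directory (sAMAccountName -> user object); not real AD data.
DIRECTORY = {
    "jdoe": {"objectCategory": "Person", "objectClass": "User", "memberOf": [
        "CN=New hire,OU=HR,OU=Groups,DC=example,DC=net",
        "CN=VPN Users,OU=IT,OU=Groups,DC=example,DC=net"]},
    "asmith": {"objectCategory": "Person", "objectClass": "User", "memberOf": [
        "CN=Finance,OU=Groups,DC=example,DC=net",
        "CN=New hire mentors,OU=HR,OU=Groups,DC=example,DC=net"]},
}

# The search filter and AD attribute exactly as configured in Step 1.
SEARCH_FILTER = "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=$LoggedinUser$))"
AD_ATTRIBUTE = "memberof"

def resolve_attribute(logged_in_user, directory=DIRECTORY):
    """Return the agent attribute value: every memberOf entry of the user matching
    the filter, joined into one string (as the query resolver shows it), or ""
    when no user matches. Only an AND of equality terms is evaluated (assumption)."""
    ldap_filter = SEARCH_FILTER.replace("$LoggedinUser$", logged_in_user)
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    for name, user in directory.items():
        attrs = {k.lower(): v for k, v in user.items()}   # LDAP names are case-insensitive
        attrs["samaccountname"] = name
        if all(str(attrs.get(k.lower(), "")).lower() == v.lower() for k, v in terms):
            return " ".join(attrs.get(AD_ATTRIBUTE, []))
    return ""

def resolve_group(attr_value, groups, current_group=None):
    """Apply each agent group's wildcard value (e.g. '*New hire*') to the attribute
    string. One match assigns that group; several matches are a group resolution
    conflict, so the agent keeps its previous group; no match leaves it unassigned.
    Matching is case-insensitive (assumption)."""
    matched = [g for g, pattern in groups.items()
               if fnmatchcase(attr_value.lower(), pattern.lower())]
    if len(matched) == 1:
        return matched[0], False
    if len(matched) > 1:
        return current_group, True   # conflict: stay in the last group
    return None, False

if __name__ == "__main__":
    groups = {"New hires": "*New hire*", "VPN users": "*VPN Users*"}
    for user in ("jdoe", "asmith", "ghost"):
        print(user, resolve_group(resolve_attribute(user), groups, "Default"))
```

Note that "asmith" lands in "New hires" because "*New hire*" also matches the DN of "New hire mentors"; a substring wildcard matches any group whose name contains the value, so choose values that cannot collide with other group names.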

This could be modified to match on any value in the AD user object (company, department, state, etc.) by changing the memberof attribute in Step 1 to the preferred AD user attribute.

This is an example / template of how agent attributes can be used. DLP admins will need to work closely with their AD / LDAP administrators to tailor the solution to their environment.

Important Notes:

  1. A DLP Agent can only be assigned to one group. If an agent meets the criteria for multiple groups the agent will show a group resolution conflict warning and stay in the last group it was in before the conflict.
  2. The LDAP information comes from the client machine. DLP Agents do not have real-time LDAP information; by default they refresh it only once every 7 days or when the agent is restarted. See GroupResolution.DAYS_DATA_STALING.int in the docs for details.
  3. Agent groups do not determine if policies are applied or not. Agent groups are used to manage which agent configurations are implemented and in turn manage which channels and filters are applied.

Additional Information

See Also:

Viewing and managing agent groups in DLP. (broadcom.com)